General

  • Target

    Revised Invoice 2.xlsx

  • Size

    1.6MB

  • Sample

    210118-x5v4254wlx

  • MD5

    69d884cc2d163ba2d507788585d1086b

  • SHA1

    1c7ce94039307d82b0c29e796db6eec476f01e37

  • SHA256

    a5235bf234f4199d7db1d947e38e85953372a6aa9abd6f1eabcd2fabf12eba87

  • SHA512

    2cdd0d2f2adfe026df2ae2efc5416d5009ff5ab2000a385d0415dd2bf7b86198aa085e53d1e69d64c3f493f74d0f060b18054a42a320761e42329385783b4402

Malware Config

Extracted

  • Family

    lokibot

  • C2

    http://blueriiver-eu.com/zoro/zoro4/fre.php
    http://kbfvzoboss.bid/alien/fre.php
    http://alphastand.trade/alien/fre.php
    http://alphastand.win/alien/fre.php
    http://alphastand.top/alien/fre.php

Targets

    • Target

      Revised Invoice 2.xlsx

    • Lokibot

      Lokibot is an information stealer that harvests saved passwords and cryptocurrency wallet data and exfiltrates them over HTTP to the C2 URLs listed in the extracted configuration.

    • Blocklisted process makes network request

      A process on the sandbox's blocklist (one that normally has no reason to talk to the network) initiated a connection.

    • Executes dropped EXE

      The document stage wrote an executable to disk and launched it.

    • Loads dropped DLL

      A library written to disk during the run was loaded into a process.

    • Uses the VBS compiler for execution

      vbc.exe, a signed Microsoft binary, was started to host the payload (living-off-the-land execution).

    • Suspicious use of SetThreadContext

      SetThreadContext on another process's thread is the pattern seen when a payload is injected into a suspended process and its entry point redirected (process hollowing).
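The hashes and C2 URLs above are the actionable part of this report. The following is an added example, not part of the original report or of any Triage tooling: a small Python IOC matcher that checks files against the sample's hashes and scans proxy-style log lines for the extracted C2 hosts. The log format (timestamp, client IP, method, URL, status) and the log lines themselves are constructed for the example; the `/fre.php` path heuristic is derived only from the fact that all five C2 URLs on this page end in that path, so treat it as a low-confidence signal.

```python
import hashlib
import re
from urllib.parse import urlparse

# C2 URLs from the extracted Lokibot configuration in this report.
C2_URLS = [
    "http://blueriiver-eu.com/zoro/zoro4/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]

# Hashes of "Revised Invoice 2.xlsx" from this report.
SAMPLE_HASHES = {
    "md5": "69d884cc2d163ba2d507788585d1086b",
    "sha1": "1c7ce94039307d82b0c29e796db6eec476f01e37",
    "sha256": "a5235bf234f4199d7db1d947e38e85953372a6aa9abd6f1eabcd2fabf12eba87",
}

C2_HOSTS = {urlparse(u).hostname.lower() for u in C2_URLS}

# Assumed log format (constructed for this example): ts client method url status
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)$"
)

# Constructed sample log lines; none of these are from the report.
SAMPLE_LOG = """\
2021-01-18T10:02:11Z 10.0.0.5 GET http://example.com/index.html 200
2021-01-18T10:02:14Z 10.0.0.5 POST http://alphastand.top/alien/fre.php 404
2021-01-18T10:02:20Z 10.0.0.7 POST http://kbfvzoboss.bid/alien/fre.php 200
2021-01-18T10:03:01Z 10.0.0.9 POST http://unrelated.example/alien/fre.php 200
"""


def file_hashes(data: bytes) -> dict:
    """Compute md5/sha1/sha256 of a byte string, keyed like SAMPLE_HASHES."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def is_known_sample(data: bytes) -> bool:
    """True only if the SHA256 of the data matches the report's sample."""
    return file_hashes(data)["sha256"] == SAMPLE_HASHES["sha256"]


def classify_url(url: str):
    """'c2' for a configured C2 host, 'suspicious' for the fre.php path on
    any other host (heuristic from the five C2 URLs above), else None."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in C2_HOSTS:
        return "c2"
    if parsed.path.endswith("/fre.php"):
        return "suspicious"
    return None


def scan_log(text: str) -> list:
    """Return (client, url, verdict) for every log line that hits an indicator.
    Lines that do not match the assumed format are skipped, not treated as hits."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        verdict = classify_url(m["url"])
        if verdict:
            hits.append((m["client"], m["url"], verdict))
    return hits


if __name__ == "__main__":
    for client, url, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:10s} {client:12s} {url}")
```

A response status of 404 from a known C2 host (as in the second constructed line) is still a hit: the check-in attempt is the indicator, whether or not the panel is still online. For real files, read the bytes from disk and pass them to `is_known_sample`; the page gives no other hashes, so it only identifies this exact sample.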
